Create /etc/ipf/ipf.conf. I suggest starting with rules that allow all traffic:

pass in quick all
pass out quick all

/usr/sbin/svcadm enable network/ipfilter

Reboot. You're supposed to be able to replumb but it didn't work for me.

Once the system is up and you verify that you can still use the network, try doing some real rules. Here's an example ipf.conf. It is 'default deny', i.e. it allows specific things and prohibits everything else. I strongly recommend that. It also runs in stateful mode (the 'keep state' on each rule), which is the only practical way to allow all outgoing transactions while denying unsolicited incoming ones: the reply packets of a connection you started are matched against the state table rather than against the 'pass in' rules.

This example allows all outgoing connections, and incoming for a few services. For a pure client machine I'd remove all the pass in TCP rules and maybe also ICMP. icmp-type 8 (echo request) is needed to respond to ping; 13 is time stamp request, which may or may not matter. With this setting you won't get or process various error messages that are sent by routers, etc. using ICMP. They have been a source of security issues, but may still be useful. You can turn on all ICMP by removing the icmp-type NN qualifier, or omit the icmp rules entirely, in which case all incoming ICMP will be blocked. (Note that the instructions in the web page below are wrong for allowing ping. It is icmp-type 8, not 0; type 0 is the echo reply, which the state entry already lets back out.)

pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 8080 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass out quick from any to any keep state
block in quick all

After changing /etc/ipf/ipf.conf, do

ipf -Fa -f /etc/ipf/ipf.conf

Even if you're not going to create a NAT, you'll want one entry in ipnat.conf. It's a proxy that makes active FTP work: in active mode the FTP server opens the data connection back to the client, and a default-deny ruleset would block that. Without the proxy you can only use passive FTP, where the client opens both connections. Put the following in /etc/ipf/ipnat.conf

map bge0 0/0 -> 0/32 proxy port 21 ftp/tcp

Note that it needs your ethernet interface name, which on my machine is bge0. Use ifconfig -a to find your name if you don't know it. This only handles outgoing FTP, i.e. clients on this machine who want to use FTP. If you want incoming FTP to work, things get a lot more complex. You'll need to see the full instructions.

After changing /etc/ipf/ipnat.conf do

ipnat -CF -f /etc/ipf/ipnat.conf

There's a utility "ipfstat" that will show you the current rules and how they are working: ipfstat -io lists the loaded in/out rules, ipfstat -hio adds per-rule hit counts, and ipfstat -s shows the state table statistics. See the man page for details.
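The whole procedure above (write a default-deny stateful ipf.conf, write the FTP proxy entry into ipnat.conf, then flush and reload both) as a script. This is an added example, not part of the original page; the directory /etc/ipf, the interface name bge0 and the port list are the page's own, everything else (the function names, the structural check, the --apply flag) is my assumption. It differs from the page's ruleset in one deliberate way: the TCP rules carry 'flags S', so only a SYN can create a state entry and a stray ACK cannot open a state-table hole. It only calls ipf/ipnat if they are installed, so it can be dry-run elsewhere.

```shell
#!/bin/sh
# Added example (not from the original page): generate and load a
# default-deny, stateful IPFilter ruleset plus the FTP proxy NAT entry.
# Usage: sh ipf-setup.sh --apply /etc/ipf bge0 22 80 8080 443

# gen_ipf_conf PORT...  -> prints the ipf.conf text on stdout.
gen_ipf_conf() {
    for p in "$@"; do
        # 'flags S': only a SYN may create state (my addition to the page's rules).
        printf 'pass in quick proto tcp from any to any port = %s flags S keep state\n' "$p"
    done
    # icmp-type 8 = echo request; the reply (type 0) rides on the state entry.
    printf 'pass in quick proto icmp from any to any icmp-type 8 keep state\n'
    printf 'pass out quick from any to any keep state\n'
    printf 'block in quick all\n'           # default deny: must stay last
}

# gen_ipnat_conf IFACE -> prints the ipnat.conf text (page's FTP proxy line).
gen_ipnat_conf() {
    printf 'map %s 0/0 -> 0/32 proxy port 21 ftp/tcp\n' "$1"
}

# write_configs DIR IFACE PORT... -> writes DIR/ipf.conf and DIR/ipnat.conf.
write_configs() {
    dir=$1; iface=$2; shift 2
    gen_ipf_conf "$@" > "$dir/ipf.conf"
    gen_ipnat_conf "$iface" > "$dir/ipnat.conf"
}

# check_ruleset FILE -> 0 if the file ends with the catch-all block rule and
# every 'pass in' rule is stateful; 1 otherwise. A textual check usable
# without ipf installed; 'ipf -n' below is the real parser.
check_ruleset() {
    file=$1
    [ "$(tail -n 1 "$file")" = "block in quick all" ] || return 1
    if grep '^pass in' "$file" | grep -qv 'keep state'; then
        return 1                             # a stateless pass-in is a hole
    fi
    return 0
}

# load_rules DIR -> parse-check, then flush and reload rules and NAT map,
# exactly the two commands the page gives (ipf -Fa -f, ipnat -CF -f).
load_rules() {
    dir=$1
    if command -v ipf >/dev/null 2>&1; then
        ipf -n -f "$dir/ipf.conf" || return 1        # -n: parse only, no kernel change
        ipf -Fa -f "$dir/ipf.conf" || return 1
        ipnat -CF -f "$dir/ipnat.conf" || return 1
        ipfstat -io
    else
        echo "ipf not found; configs written to $dir but not loaded" >&2
    fi
}

if [ "${1:-}" = "--apply" ]; then
    shift
    write_configs "$@"
    check_ruleset "$1/ipf.conf" || { echo "ruleset failed sanity check" >&2; exit 1; }
    load_rules "$1"
fi
```

Run it as root on the Solaris box with --apply; on any other system it just writes the two files into the directory you name so you can inspect them before copying them to /etc/ipf.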
